The event logs on a Windows Server are helpful in troubleshooting system errors and for monitoring performance and activity. Server event logs contain data relating to the operating system, system components and applications running on the server. Each event log entry records details of the incident such as the date and time, the name of the computer, the user logged on at the time and other important information like the event ID, category and source of the event. Sometimes the event includes additional information on the incident and may contain a link to where more information can be found. These links can help further troubleshoot the incident.
Types of Windows Server Event Logs
When you install a Windows server it comes with several default event logs. If the server is set up to perform other functions such as DNS or Active Directory, it will include additional event logs.
The default event logs on a Windows server are:
Application Event Logs: Tracks application-related events (for example, some applications generate informational events that get recorded; applications also generate errors such as failing to install or execute).
System Event Logs: Records events related to the server operating system, such as starting up or a system reboot, services and hardware events.
Security Event Logs: Tracks events such as logon, logoff, bad password, and object access. Not all of these are recorded by default: you need to enable auditing on the local system (or on the Domain Controller for domain accounts) before certain security events are tracked. The audit policy is found in Group Policy under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy (Windows Server 2008 and later also offer the finer-grained Advanced Audit Policy Configuration under the same Security Settings node). Object access auditing additionally requires an audit entry (SACL) on each object you want to watch; the policy alone records nothing.
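As an added example (not code from the original article), the following PowerShell checks the current audit policy and turns on the logon and object-access auditing described above. It assumes an elevated PowerShell session on the server itself (for a domain you would put the same settings in a GPO instead), and C:\SensitiveShare is a hypothetical folder chosen for the illustration.

```powershell
# Added example, not from the original article: check what is being audited
# and enable the logon and object-access auditing the paragraph above refers
# to. Run in an elevated PowerShell session on the server; for a domain, put
# the same settings in a GPO instead. C:\SensitiveShare is a hypothetical path.

# 1. Show the current audit policy for every category and subcategory.
auditpol /get /category:*

# 2. Logon, logoff and bad-password events. auditpol writes the per-subcategory
#    (Advanced Audit Policy) settings that Windows Server 2008 and later honour.
auditpol /set /subcategory:"Logon"           /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"          /success:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

# 3. Object access. The policy alone logs nothing: each object you care about
#    also needs an audit entry (SACL). Enable the policy, then add the SACL.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

$path = 'C:\SensitiveShare'
$acl  = Get-Acl -Path $path -Audit      # -Audit is needed to read and write the SACL
# Identity, rights, inheritance, propagation, audit flags: log every delete
# attempt by anyone, successful or not, on the folder and everything under it.
$ruleArgs = 'Everyone', 'Delete, DeleteSubdirectoriesAndFiles',
            'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Verify: the Logon subcategory should now show "Success and Failure",
#    and the folder should list the new audit entry.
auditpol /get /subcategory:"Logon"
(Get-Acl -Path $path -Audit).Audit
```

After this, failed logons appear in the Security log as event ID 4625 and the delete attempts on the folder as object access events; without step 3's SACL the file system subcategory setting would sit there enabled and record nothing.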
Additional Event Logs that are included on a Windows Domain Controller:
DFS Replication – Includes events from the Distributed File System Replication service.
Directory Services – Events related to Active Directory services. Sources include AD Domain Services, online defragmentation of the database and the LDAP interface.
DNS Server – Records activity on the DNS service.
File Replication Service – Tracks events from the File Replication Service (FRS) on the Domain Controller, which older domain controllers use to replicate SYSVOL.
Configuring Event Log options
It’s important to know the default logging options on your Windows server. Depending on the system you may need to adjust these defaults to meet security or organizational needs. The event logs can provide critical information when troubleshooting server errors, so the logging options should be reviewed while planning your servers.
By default the logging options are set to:
- Stored in the %Windir%\system32\config folder (on Windows Server 2008 and later the logs live in %SystemRoot%\System32\winevt\Logs)
- Maximum log file size of 16 MB
- Overwrite events older than 7 days
The default settings should be reviewed before putting a new Windows Server into production. Below are some recommended settings for configuring the event logs on your servers:
1. Increase the size limit of each log file. The event logs can fill up fast, so it is recommended to increase the default size limit to allow for storage of more events. I increase the application, security and system log files to 60MB.
2. If you do not need to archive events, set the retention method to overwrite events as needed. For the Security log, keep in mind that overwriting lets an attacker push out evidence of what they did by flooding the log with noise, so size it generously or forward its events to a central collector if you rely on it for investigations.
3. Prevent the local Guests group from accessing the logs. You do not want unwanted users poking around in your log files, so set this to Enabled for the Application, System and Security logs.
If you have a large number of Windows servers you can use Group Policy to configure these settings on all of them. You must be running Active Directory, and all the servers must be members of its domain, for Group Policy to apply. These settings are found under Computer Configuration -> Windows Settings -> Security Settings -> Event Log in the Group Policy Object Editor (on Windows Server 2008 and later the log size and retention settings are under Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service).
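As an added example (not code from the original article), the following PowerShell reviews the current settings on a single server and then applies the three recommendations above to the Application, System and Security logs. It assumes an elevated Windows PowerShell session on the server itself; for a fleet, the same values belong in the Group Policy settings named above rather than in a script run on every machine.

```powershell
# Added example, not from the original article: review, then apply the
# three recommendations above to the Application, System and Security logs.
# Assumes an elevated Windows PowerShell session on the server itself.

$logs = 'Application', 'System', 'Security'

# Review before changing: size limit, retention method and minimum retention days.
Get-EventLog -List |
    Where-Object { $logs -contains $_.Log } |
    Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays

foreach ($log in $logs) {
    # 1 and 2: 60 MB limit (60 * 1024 * 1024 bytes; must be a multiple of 64 KB)
    #          and "overwrite events as needed". /rt:true would instead keep
    #          events until the log is cleared, i.e. "do not overwrite".
    wevtutil sl $log /ms:62914560 /rt:false

    # 3: block the local Guests group. This is the registry value the Group
    #    Policy setting "Prevent local guests group from accessing ... log"
    #    writes. On Windows Server 2008 and later, read access to a log is
    #    governed by its channelAccess SDDL instead (shown by wevtutil gl).
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    Set-ItemProperty -Path $key -Name RestrictGuestAccess -Value 1 -Type DWord
}

# Verify what the Event Log service now reports for each log.
foreach ($log in $logs) { wevtutil gl $log }
```

The review step runs first on purpose: comparing the before and after output is the quickest way to confirm that the size and retention changes actually took effect on the log you intended.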
Searching events using the Event Viewer
The Event Viewer is a built-in tool for viewing event log entries. Open it by clicking Start -> Control Panel -> System and Maintenance -> Administrative Tools and double-clicking Event Viewer. I take a shortcut and click Start -> Run, type eventvwr and press Enter.
When you open Event Viewer and select a log, it displays the most recent events at the top. Depending on which log you choose and what you have opted to record, there can be an overwhelming number of entries to review. Event Viewer includes search and filter options that let you quickly find certain events or filter on a particular event ID. This comes in handy when you have an idea of what you're looking for. To use the filter, click the log (for example the Application log), then go to View -> Filter (in the Windows Server 2008 and later Event Viewer, use Filter Current Log in the Actions pane). From here you have several options for filtering the results.
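As an added example (not code from the original article), the following PowerShell performs the same "filter on one event ID" search from the command line, over the last 24 hours of the Security log, and summarises the result the way a reviewer wants it. It assumes Windows Server 2008 or later (Get-WinEvent, PowerShell 3 or later), an elevated session so the Security log is readable, and that failure auditing for Logon is enabled so that failed logons are recorded as event ID 4625.

```powershell
# Added example, not from the original article: filter the Security log on
# event ID 4625 (failed logon) for the last 24 hours and count failures per
# source address. Assumes Windows Server 2008+ and an elevated session.

$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # otherwise "no events found" is reported as an error

# Pull named fields out of the event XML rather than relying on property positions,
# so the same pattern works for any event ID.
$rows = foreach ($e in $failed) {
    $data  = ([xml]$e.ToXml()).Event.EventData.Data
    $field = @{}
    foreach ($d in $data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $field['TargetUserName']
        Source    = $field['IpAddress']
        LogonType = $field['LogonType']
        Status    = $field['Status']      # NTSTATUS code, e.g. 0xC000006D = bad user name or password
    }
}

# Failed logons per source: a handful is normal, hundreds from one address is not.
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The equivalent in the GUI: Security log -> Filter Current Log -> Event IDs: 4625.
```

The filter hashtable is applied by the Event Log service before the events are returned, which is far faster on a large log than piping everything through Where-Object on the client side.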
You can also purchase software that monitors and analyzes the event logs on all your servers. If you have many servers and the budget for it, I would invest in log management software. It automates the process of reviewing all the log files and can send notifications on defined events. Windows Server 2008 and later also include event subscriptions (Windows Event Forwarding) for collecting events from many servers onto one collector without third-party software.